Bug 430814 - Crash [@ nsStyleContext::GetStyleDisplay] while trying to print
Status: VERIFIED FIXED
Whiteboard: [sg:critical?]
Keywords: crash, testcase, verified1.8.1.15
Product: Core
Classification: Components
Component: Layout: Tables
Version: unspecified
Platform: x86 All
Importance: -- critical
Target Milestone: mozilla1.9
Assigned To: Mats Palmgren (vacation)
Reported: 2008-04-25 09:06 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT
CC: 8 users
Flags: jwalden+bmo: in-testsuite?

Attachments
testcase (300 bytes, application/xhtml+xml)
2008-04-25 09:10 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
wallpaper (1.59 KB, patch)
2008-04-25 14:52 PDT, Mats Palmgren (vacation)
bernd_mozilla: review+
roc: superreview+
dveditz: approval1.8.1.15+
mconnor: approval1.9+

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2008-04-25 09:06:25 PDT
See testcase: when clicking on the print button and then printing something,
current trunk builds of Mozilla crash.

http://crash-stats.mozilla.com/report/index/8f00214c-12df-11dd-92b9-001cc4e2bf68?p=1
0  xul.dll  nsIFrame::GetStyleDisplay  nsStyleStructList.h:95
1  xul.dll  nsCSSRendering::PaintBackgroundWithSC  mozilla/layout/base/nsCSSRendering.cpp:3448
2  xul.dll  TableBackgroundPainter::PaintCell  mozilla/layout/tables/nsTablePainter.cpp:634
3  xul.dll  TableBackgroundPainter::PaintRow  mozilla/layout/tables/nsTablePainter.cpp:590
4  xul.dll  TableBackgroundPainter::PaintRowGroup  mozilla/layout/tables/nsTablePainter.cpp:530
5  xul.dll  TableBackgroundPainter::PaintTable  mozilla/layout/tables/nsTablePainter.cpp:446
6  xul.dll  nsTableFrame::PaintTableBorderBackground  mozilla/layout/tables/nsTableFrame.cpp:1469
7  xul.dll  nsDisplayTableBorderBackground::Paint  mozilla/layout/tables/nsTableFrame.cpp:1318
8  xul.dll  nsDisplayList::Paint  mozilla/layout/base/nsDisplayList.cpp:296
9  xul.dll  nsLayoutUtils::PaintFrame  mozilla/layout/base/nsLayoutUtils.cpp:988
10 xul.dll  nsPageFrame::PaintPageContent  mozilla/layout/generic/nsPageFrame.cpp:562
11 xul.dll  PaintPageContent  mozilla/layout/generic/nsPageFrame.cpp:403
12 xul.dll  nsDisplayGeneric::Paint  mozilla/layout/base/nsDisplayList.h:862
13 xul.dll  nsDisplayList::Paint  mozilla/layout/base/nsDisplayList.cpp:296
14 xul.dll  nsLayoutUtils::PaintFrame  mozilla/layout/base/nsLayoutUtils.cpp:988
15 xul.dll  nsSimplePageSequenceFrame::PrintNextPage  mozilla/layout/generic/nsSimplePageSequence.cpp:647
16 xul.dll  nsPrintEngine::PrintPage  mozilla/layout/printing/nsPrintEngine.cpp:2368
17 xul.dll  nsPagePrintTimer::Notify  mozilla/layout/printing/nsPagePrintTimer.cpp:90
18 xul.dll  nsTimerImpl::Fire  mozilla/xpcom/threads/nsTimerImpl.cpp:403
19 xul.dll  nsTimerEvent::Run  mozilla/xpcom/threads/nsTimerImpl.cpp:490
20 xul.dll  nsThread::ProcessNextEvent  mozilla/xpcom/threads/nsThread.cpp:510
21 xul.dll  nsBaseAppShell::Run  mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
22 nspr4.dll  PR_GetEnv
23 firefox.exe  wmain  mozilla/toolkit/xre/nsWindowsWMain.cpp:87
24 firefox.exe  firefox.exe@0x217f
25 kernel32.dll  BaseProcessStart
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2008-04-25 09:10:24 PDT
Created attachment 317715 [details]
testcase
Comment 2 Mats Palmgren (vacation) 2008-04-25 14:52:36 PDT
Created attachment 317773 [details] [diff] [review]
wallpaper

Wallpaper, until we find the real bug...
This file already has this wallpaper in another place:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/tables/nsTablePainter.cpp&rev=3.25&root=/cvsroot&mark=413-415#408
Comment 3 Bernd 2008-04-25 23:39:01 PDT
Comment on attachment 317773 [details] [diff] [review]
wallpaper

The cited URL was not wallpapering over a bug but rather defensive programming. I had a good share of crash bugs (one of them being a top crasher) after fantasai's paint patch landed, so the idea was to have a rather drastic assertion message that would ring all bells instead of having an exploitable array boundary violation.

I will do the core fix and then check if ff2 is also vulnerable.
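As an added illustration of the defensive pattern Bernd describes (this is not Mozilla's code and not the attached patch, which this page does not reproduce): a hypothetical bounds-checked cell lookup where an out-of-range index produces a loud diagnostic and the cell is skipped, instead of an array boundary violation. All struct and function names are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-ins for table cell and row frames (the real Gecko
// frames are far richer); an empty background means nothing to paint.
struct CellFrame { std::string background; };
struct RowFrame { std::vector<CellFrame> cells; };

static int gPainterWarnings = 0;  // stands in for NS_WARNING output

// Bounds-checked lookup: report loudly and return nullptr instead of reading
// past the end of the cell array, so the caller skips an invalid frame.
const CellFrame* GetCellChecked(const RowFrame& row, std::size_t colIndex) {
  if (colIndex >= row.cells.size()) {
    ++gPainterWarnings;
    std::fprintf(stderr, "nsTablePainter error: column %zu of %zu\n",
                 colIndex, row.cells.size());
    return nullptr;
  }
  return &row.cells[colIndex];
}

// Paints the cells the caller believes exist; expectedCols may disagree with
// the row's real cell count.  Returns how many backgrounds were painted.
int PaintRowBackgrounds(const RowFrame& row, std::size_t expectedCols) {
  int painted = 0;
  for (std::size_t col = 0; col < expectedCols; ++col) {
    const CellFrame* cell = GetCellChecked(row, col);
    if (cell == nullptr || cell->background.empty()) {
      continue;  // missing or transparent cell: nothing to draw
    }
    ++painted;   // a real painter would draw cell->background here
  }
  return painted;
}

// Constructed three-cell row: red, transparent, blue.
RowFrame MakeDemoRow() {
  RowFrame row;
  row.cells = {{"red"}, {""}, {"blue"}};
  return row;
}

int main() {
  int n = PaintRowBackgrounds(MakeDemoRow(), 5);  // caller assumes five cells
  std::printf("painted %d cell(s), %d warning(s)\n", n, gPainterWarnings);
  return 0;
}
```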
Comment 4 Mike Connor [:mconnor] 2008-04-27 12:04:15 PDT
Comment on attachment 317773 [details] [diff] [review]
wallpaper

a=mconnor on behalf of 1.9 drivers
Comment 5 Mats Palmgren (vacation) 2008-04-27 14:36:49 PDT
mozilla/layout/tables/nsTablePainter.cpp 3.26

Filed bug 431087 on fixing the real bug.

-> FIXED
Comment 6 Mats Palmgren (vacation) 2008-04-27 14:45:48 PDT
Comment on attachment 317773 [details] [diff] [review]
wallpaper

The testcase does not crash 2.0.0.14 on XP/Linux/OSX, but the code looks
the same on branch.  The patch is trivial so it might be worth taking
just in case...
Comment 7 Bernd 2008-04-27 22:02:08 PDT
> The patch is trivial so it might be worth taking just in case...
Exactly, this should go onto branch; there is no need for gambling there.
Comment 8 Daniel Veditz [:dveditz] 2008-04-28 11:19:58 PDT
Comment on attachment 317773 [details] [diff] [review]
wallpaper

approved for 1.8.1.15, a=dveditz for release-drivers
Comment 9 Marcia Knous [:marcia - use ni] 2008-04-28 13:32:45 PDT
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008042806 Minefield/3.0pre. No crash with the testcase.
Comment 10 Mats Palmgren (vacation) 2008-04-28 14:26:53 PDT
Checked in on MOZILLA_1_8_BRANCH:
mozilla/layout/tables/nsTablePainter.cpp 3.13.6.1
Comment 11 Bernd 2008-05-03 03:55:44 PDT
Mats, can we change the assert to something less draconian, like a warning for "nsTablePainter error"? I will know what it means. This bug should stay closed till bug 424377 is fixed.
Comment 12 Al Billings [:abillings] 2008-06-10 18:05:28 PDT
Verified that the code got checked in. Also verified no crash in 2.0.0.14 and 2.0.0.15 (as said before).